Credential management

ABSTRACT

Described herein is an implementation of a technology for managing credentials. With an implementation, a credential manager is domain-authentication aware and concurrent authentications with multiple independent networks (e.g., domains) may be established and maintained. Moreover, a credential manager provides a credential model retrofit for legacy applications that only understand the password model. The manager provides a mechanism where the application is only a “blind courier” of credentials between the trusted part of the OS to the network and/or network resource. The manager filly insulates the application from “read” access to the credentials. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.

TECHNICAL FIELD

[0001] This invention generally relates to a technology for managingcredentials.

BACKGROUND

[0002] A typical credential manager is program module on a computer,such as a personal computer (PC). More particularly, a credentialmanager is typically part of the trusted core of an operating system(OS) of a PC. As the name implies, a credential manager handles theaccess to (e.g., reads and writes) and storage of credentials, which areused to gain access to networks (e.g., domains) and network resources.

[0003] No conventional credential manager provides a mechanism toretrofit legacy system—that only have provisions for traditionalusername/password authorization model—to use a non-passwordauthorization model (e.g., X.509 Certificates).

[0004] Some conventional credential managers provide a mechanism bindinga minimum set of credentials to resources requiring authentication. Thegoal of these conventional managers is to provide a “single sign-on”that gives access to a variety of resources across one or more networksand access to one or more networks. However, none of these conventionalcredential managers employs a single sign-on mechanism thatautomatically and transparently provides credentials for accessing themultiple resources within an authorized domain to the multipleresources.

[0005] Credentials

[0006] A “credential” is a generic term for data used to verify theidentity of an entity. An entity may be a server, a client, a service,etc. Typically, it is a user. Common forms of credentials includeusername/password model, X.509 Certificates, and bio-metricidentification. There are two general types of credentials: Domaincredentials and generic credentials

[0007] Domain Credentials. Typically, these are used by operating system(OS) components and authenticated by a local security authority (LSA).LSA is a typically a low-level program module (e.g., part of the trustedcore of the OS) that ensures that the entity attempting to access thesystem actually has permission to access the system.

[0008] Typically, domain credentials are established for a user when aregistered security support provider (SSP), such as Kerberos,authenticates logon data provided by the user. The logon credentials arecached by the OS so that a single sign-on gives the user access to avariety of resources. For example, network logons can occurtransparently, and access to protected system objects can be grantedbased on a user's cached domain credentials.

[0009] Domain credentials are protected by the operating system; onlycomponents running in-process with the LSA can read and write domaincredentials. Applications are typically limited to writing domaincredentials.

[0010] Generic Credentials. These are defined and authenticated byapplications that manage authorization and security directly, instead ofdelegating these tasks to the operating system. For example, anapplication can require users to enter a user name and password providedby the application or to produce a certificate in order to access a Website.

[0011] Applications may prompt users for application-defined (generic)credential information such as username, certificate, smart card, orpassword. The information entered by the user is returned to theapplication. Authenticating this information is the responsibility ofthe application—not the OS.

[0012] Unlike domain credentials, generic credentials may be read andwritten by user processes (e.g., applications).

[0013] One way of implementing generic credentials is via “cookies.” Acookie is a message given to a Web browser by a Web server. The browsertypically stores the message in a text file. The message is then sentback to the server each time the browser requests a page from theserver.

[0014] One of the main purposes of cookies is to identify and authorizeusers. When a user initially enters a Web site, the user may be asked tofill out a form providing identification information. This informationis packaged into a cookie and sent to the Web browser, which stores itfor later use. The next time the user goes to the same Web site, thebrowser will send the cookie to the Web server. The server can use thisinformation to identify and authenticate the user.

[0015] In this example, the application program controls thecredentials—the application program can both read and write thecredentials. Thus, these credentials are generic.

[0016] Identification and Authentication Models

[0017] Existing software authentication systems typically are based on ausername and password pair model (“password model”). In this model, theusername identifies a user and the password verifies such identity. Theuse of this model is extensive and there is substantial software writtento use this form of credential.

[0018] However, there are non-password based user credentials, such asX.509 Certificates or bio-metric identification/authentication models.In order to upgrade software systems to use non-password based usercredentials, major rewrites are required if conventional techniques areused.

[0019] Single Sign-On

[0020] Traditional methods of providing single sign-on usually requirethat a distinct credential be used for each unique application orresource that requires authentication. This can result in the storage oflarge numbers of user credentials that must be securely maintained forthe user and managed.

[0021] Conventional Credential Managers

[0022] No conventional credential manager is domain-authenticationaware. In other words, no conventional manager provides a mechanismwhere authentication by one resource in a trust network enablesautomatic (without manual user input) authenticated access to allresources in that trust network.

[0023] No conventional credential manager provides a mechanism forconcurrent authentications with multiple independent networks (e.g.,domains).

[0024] No conventional credential manager has an encrypted databasestructure of user's credentials, where the entire structure is encrypted(as opposed to encrypting each credential separately).

[0025] No conventional credential manager provides a credential modelretrofit for legacy applications that only understand the passwordmodel. No conventional manager marshals high-level credentials (such asa certificate) so that the high-level credential appears to be alow-level credential (such as a user/password) to legacy applications.

[0026] No conventional credential manager provides a mechanism where theapplication is only a “blind courier” of credentials between the trustedpart of the OS to the network and/or network resource. No conventionalmanager fully insulates the application from “read” access to thecredentials.

SUMMARY

[0027] Described herein is a technology for managing credentials. Withan implementation of this technology, described herein, a credentialmanager is domain-authentication aware. In other words, anauthentication by one resource in a trust network enables automatic(without manual user input) authenticated access to all resources inthat trust network.

[0028] With an implementation of this technology, concurrentauthentications with multiple independent networks (e.g., domains) maybe established and maintained.

[0029] With an implementation of this technology, a credential managerprovides a credential model retrofit for legacy applications that onlyunderstand the password model. The manager marshals high-levelcredentials (such as a certificate) so that the high-level credentialappears to be a low-level credential (such as a user/password) to legacyapplications.

[0030] With an implementation of this technology, a credential managerprovides a mechanism where the application is only a “blind courier” ofcredentials between the trusted part of the OS to the network and/ornetwork resource. The manager fully insulates the application from“read” access to the credentials.

[0031] This summary itself is not intended to limit the scope of thispatent. Moreover, the title of this patent is not intended to limit thescope of this patent. For a better understanding of the presentinvention, please see the following detailed description and appendingclaims, taken in conjunction with the accompanying drawings. The scopeof the present invention is pointed out in the appending claims.

BRIEF DESCRIPTION OF THE DRAWINGS

[0032] The same numbers are used throughout the drawings to referencelike elements and features.

[0033]FIG. 1 is a schematic block diagram showing a networkingenvironment in which an embodiment of the invention claimed herein maybe implemented and an architecture in accordance with an implementationof the invention claimed herein.

[0034]FIG. 2 is a schematic block diagram showing data structureemployed by an embodiment of the invention claimed herein.

[0035]FIG. 3 is a flow diagram showing a methodological implementationof the invention claimed herein.

[0036]FIG. 4 is a flow diagram showing another methodologicalimplementation of the invention claimed herein.

[0037]FIG. 5 is an example of a computing operating environment capableof implementing an implementation (wholly or partially) of the inventionclaimed herein.

DETAILED DESCRIPTION

[0038] The following description sets forth specific embodiments of acredential management that incorporate elements recited in the appendedclaims. These embodiments are described with specificity in order tomeet statutory written description, enablement, and best-moderequirements. However, the description itself is not intended to limitthe scope of this patent.

[0039] Described herein are one or more exemplary implementations ofcredential management. The inventors intend these exemplaryimplementations to be examples. The inventors do not intend theseexemplary implementations to limit the scope of the claimed presentinvention. Rather, the inventors have contemplated that the claimedpresent invention might also be embodied and implemented in other ways,in conjunction with other present or future technologies.

[0040] An example of an embodiment of a credential management may bereferred to as an “exemplary cred-manager.”

[0041] Introduction

[0042] The one or more exemplary implementations, described herein, ofthe present claimed invention may be implemented (whole or in part)within a credential management architecture 100 and/or by a computingenvironment like that shown in FIG. 5.

[0043] The “domain credentials” are the focus of the exemplaryimplementations, described herein, of the present claimed invention.Unless otherwise specified or apparent from the context, references to“credentials” within the description of the exemplary implementationsare specifically to “domain credentials.”

[0044] Exemplary Cred-Manager

[0045]FIG. 1 shows a networking environment and the credentialmanagement architecture 100. Specifically, FIG. 1 illustrates a computer130, like one shown in FIG. 5. Within the computer 130 is the credentialmanagement architecture 100. Operatively coupled to the computer 130 areone or more networks, such as networks 110 a, 110 b, and 110 c. Thecomputer 130 may be connected to any one of these networks, but forillustrative purposes, it is connected to network 110 c, which isconnected to network 110 b, which is connected to network 110 a.

[0046] These networks 110 a-c may be considered domains having sharablenetwork resources. These networks may be local area networks (LANs) orwide area networks (WANs). The networks may host network applicationssuch as Web site(s), e-mail, databases, file servers, data centers, FTPservers, etc. In general, each domain authenticates user access via adomain credential. Such credential provides access to domain resourcesand applications. Of course, particular resources and applications mayhave their own credential that differs from the common credential forthe entire domain.

[0047] The credential management architecture 100 includes theapplication layer 140 and the secured operating system (OS) layer 150.

[0048] The application layer 140 is also called the user layer becauseusers (as well as applications) have control at this level. This layer140 is also called the untrusted computing layer (UTCL) becauseprocesses in this layer are not provided full access to credentials orother security features. Applications 142 and 144 are illustrated inFIG. 1. Examples of such applications include Web browser, e-mailsoftware, etc.

[0049] The secured operating system (OS) layer 150 is also called thetrusted computing base (TCB). A specific implementation of the TCB maybe called the local security authority (LSA). The application and userof the UTCL 140 cannot meddle in the security processes of the TCB 150.However, the processes of the UTCL 140 may request access to credentialsfrom the TCB 150. A security process of the TCB 150 may respond to arequest from a UTCL process.

[0050] A credential management module 152 is one such security processin the TCB 150. As it name implies, it manages the credentials of thecomputer 130. More specifically, it manages the credentials of each userof the computer 130.

[0051] Although not illustrated in FIG. 1, credential management module152 may be composed a multiple submodules. Some of these may beapplication-programming interfaces (APIs) that the applications may callto access credentials. More details about such APIs are provided in the“Exemplary Implementation employing APIs” section below. One or moreother submodules may control the actual access of a user's credentials(including reads and writes) and control the encryption and decryptionof credential databases, such as databases 154 a-c. Herein, thissubmodule may be called the “credential management submodule.”

[0052] Encrypted Credential Data Structure

[0053]FIG. 1 illustrates multiple encrypted credential databases 154 a-cwith a graphical representation of a “user” associated with eachdatabase. This is indicates that each database is associated with aparticular user. The credentials for each user is collected and storedtogether within a database structure (e.g., databases 154 a-c)associated with a specific user. That database is encrypted.

[0054]FIG. 2 shows an example of an encrypted credential database (i.e.,data structure) 154 a, which is associated with a specific user. Thehierarchy of the credential data structure 154 a is represented at 200.Block 210 identifies the user. Under the user block 210 are multiplecredentials, such as credentials 212 a, 212 b, 212 c, and 212 n. Thesecredentials are not individually encrypted. Rather, the entiredatastructure (such as 154 a) is encrypted.

[0055] Credential Retrofit

[0056] Unlike conventional credential managers, the exemplarycred-manager provides a mechanism to retrofit legacy systems—that onlyhave provisions for traditional username/password authorization model—touse a non-password authorization model (e.g., X.509 Certificates).

[0057] The exemplary cred-manager allows the use of non-password basedcredentials as if they were usemame and password pairs in order to avoidextensive modifications of existing applications.

[0058] The exemplary cred-manager provides a credential model retrofitfor legacy applications that only understand the password model. Themanager marshals high-level credentials (such as a certificate) so thatthe high-level credential appears to be a low-level credential (such asa user/password) to legacy applications. The exemplary cred-managerconverts high-level credentials into a form so that they may beunderstood by the legacy applications.

[0059] Marshalling

[0060] Marshaling is the mechanism by which a description of anon-password credential can be passed to the TCB using an interfacedesigned to support only password credentials. See the marshalling APIs,described in the “Exemplary Implementation employing APIs “sectionbelow, for details of an implementation that performs marshalling.

[0061] For illustration purposes, the following describes two differentexemplary situations where credentials are marshaled:

[0062] 1. The exemplary cred-manager creates a reference to acertificate by taking the certificate hash and computing a text stringfor that hash. The certificate hash is a value that uniquely identifiesa certificate. This text string is used in two places:

[0063] a. In a credential stored in the credential manager, it is usedin the UserName field of the credential as the reference to thecertificate.

[0064] b. When the credential is not stored, it is returned in theUserName field as a reference to the certificate. The entire purpose ofreturning this marshaled form is to support passing the reference tointerfaces that only support password credentials.

[0065] 2. The exemplary cred-manager creates a reference to a credentialstored in credential manager. See the “Blind Courier” section below formore info on this. In one implementation, the exemplary cred-managerreturns a UserName from dialog box prompting the user for the user name.Specifically, for password credentials, the UserName field returns theUserName in the clear and the Password field returns the password in theclear. For certificate credentials, the UserName field returns themarshaled cert reference and the Password field returns the “PIN”protecting the private key associated with the cert.

[0066] Marshaling Example

[0067] For this example, assume that one marshals a reference to acertificate and that certificate has a hash of “68151c37ea8a456081cefd14 1a3f8f7c 7a7b7b9a”. An example of a marshaled form is“@@B3wRFoBWRKqOF97cg894Pao5e7pH”

[0068] In this example, the marshaled form always has @@ at the front.Then bytes are converted to characters simply by looking up 6-bit valuesfrom a table, such as the table shown in the routine CredpMarshalCharbelow. The first character after the @@ is always the type of themarshaled string. In this case, it is a certificate so the type isCertCredential (from the CRED_MARSHAL_TYPE enum below). That's a 1.Looking up 1 in the CredpMarshalChar array and you note that it maps toa “B”. Hence the string above starts out as “@@B”.

[0069] The remaining bytes (the cert hash itself) are marshaled via theroutine CredpMarshalBytes (included below). It breaks 3 bytes of inputinto 4 6-bit fields then calls CredpMarshalChar. In this example, the0x37 is the first 6 bits of the input. The 0x37'th character in theCredpMarshalChar array is “3”. Hence, the string above starts out as“@@B3”. This is simply repeated until there are no more bytes in theinput. As needed, zero bits are logically concatenated to the end of theinput string as padding to ensure that a multiple of 6 bits areavailable to be processed.

[0070] The following (“CredpMarshalChar” and CredpMarshalByte”) areexamples of pseudocode for generating a marshaled credential:CredMarshalChar( IN OUT LPWSTR *Current, IN ULONG Byte ) /*++ RoutineDescription: This routine marshalls 6 bits into a buffer. Arguments:Current - On input, points to a pointer of the current location in themarshaled buffer. On output, is modified to point to the next availablelocation in the marshaled buffer. Byte - Specifies the 6 bits to marshalReturn Values: None. −−*/ { UCHAR MappingTable[] = { ‘A’, ‘B’, ‘C’, ‘D’,‘E’, ‘F’, ‘G’, ‘H’, ‘I’, ‘J’, ‘K’, ‘L’, ‘M’, ‘N’, ‘O’, ‘P’, ‘Q’, ‘R’,‘S’, ‘T’, ‘U’, ‘V’, ‘W’, ‘X’, ‘Y’, ‘Z’, ‘a’, ‘b’, ‘c’, ‘d’, ‘e’, ‘f’,‘g’, ‘h’, ‘i’, ‘j’, ‘k’, ‘l’, ‘m’, ‘n’, ‘o’, ‘p’, ‘q’, ‘r’, ‘s’, ‘t’,‘u’, ‘v’, ‘w’, ‘x’, ‘y’, ‘z’, ‘0’, ‘1’, ‘2’, ‘3’, ‘4’, ‘5’, ‘6’, ‘7’,‘8’, ‘9’, ‘#’, ‘−’ }; if ( Byte > 0x3F ) { *(*Current) = ‘=’; } else {*(*Current) = MappingTable[Byte]; } (*Current)++; } CredMarhsalBytes( INOUT LPWSTR *Current, IN LPBYTE Bytes, IN ULONG ByteCount ) /*++ RoutineDescription: This routine marshals bytes into a buffer. Arguments:Current - On input, points to a pinter of the current location in themarshaled buffer. On output, is modified to point to the next availablelocation in the marshaled buffer. Bytes - Specifies the buffer tomarshal ByteCount - Specifies the number of bytes to marshal ReturnValues: None. −−*/ { ULONG i; union { BYTE ByteValues[3]; struct { ULONGBits1 :6; ULONG Bits2 :6; ULONG Bits3 :6; ULONG Bits4 :6; } BitValues; }Bits; // // Loop through marshaling 3 bytes at a time. // for ( i=0;i<ByteCount; i+=3 ) { ULONG BytesToCopy; // // Grab up to 3 bytes fromthe input buffer. // BytesToCopy = min ( 3, ByteCount−i ); if (BytesToCopy != 3 ) { RtlZeroMemory( Bits.ByteValues, 3); }RtlCopyMemory( Bits.ByteValues, &Bytes[i], BytesToCopy ); // // Marshalthe first twelve bits // CredMarshalChar( Current, Bits.BitValues.Bits1); CredMarshalChar( Current, Bits.BitValues.Bit2 ); // // Optionallymarshal the next bits. // if ( BytesToCopy > 1 ) { CredpMarshalChar(Current, Bits.BitValues.Bits3 ); if ( BytesToCopy > 2 ) {CredpMarshalChar( Current, Bits.BitValues.Bits4 ); } } } }

[0071] Blind Courier

[0072] The exemplary cred-manager provides a mechanism where theapplication is only a “blind courier” of credentials between the TCB 150and the domain and/or domain resource. The manager fully insulates theapplication from “read” access to the credentials. Therefore, theapplication never knows the actual credential. If a new credential needsto be created, the applications bands this process to the credentialmanagement module 152 to handle.

[0073] If a legacy application requests a credential for a specifiedresource/network, the exemplary cred-manager passes it a “marshaled”credential. Thus, the application never sees the true high-levelcredential. The exemplary cred-manager makes the high-level credentialavailable to the SSPs. The SSPs process the high-level credential asthough it were passed directly in by the application program.

[0074] A Methodological Implementation of the Exemplary Cred-Manager

[0075]FIG. 3 shows methodological implementation of the exemplarycred-manager performed within the credential management architecture 100(or some portion thereof). This methodological implementation may beperformed in software, hardware, or a combination thereof. Thismethodological implementation assumes that the application utilizes theexemplary cred-manager is a legacy application.

[0076] At 310 of FIG. 3, a user attempts to access protected resource(such as a secure Web site, a printer, a server, etc.) using anapplication, such as a Web browser. Such a resource may be part ofauthentication domain, such as domains 110 a-c of FIG. 1. Step 310 isimplemented by an application program attempting an authentication. Itdoes that by using the SSP. The SSP will ask the cred manager if thereis already a credential for the resource. If so, that credential will beused. If that credential works, process ends (not shown in FIG. 3) anddoes not proceed to step 312.

[0077] At 312 of FIG. 3, the attempt fails with accessdenied—authentication required. With the exemplary cred-manager, theuser never sees this denial. At 314, the application asks the exemplarycred-manager for a user credential to be used to authenticate the userto the resource. More specifically, the application may call acredential-user-interface APIs (such as CredUI APIs) to accomplish thistask. Alternatively, the application may seek the appropriate credentialbefore actually attempting access and receiving a denial. These steps(310-314) refers to generic credentials rather than domain credentials.

[0078] At 316, the exemplary cred-manager seeks specific credential forthe resource, or a credential for the authentication domain of theresource (as defined by the application protocol). More specifically,the CredUI API may ask credential management module for such acredential.

[0079] At 320 of FIG. 3, if a credential is found, it is “marshaled”.When marshaled, a high-level credential is converted into a low-levelcredential (such as username and password). At 322, the found credentialis returned to the application in the form of the “marshaled” usernameand password. At 324, the application authenticates the marshaledcredential. It may do this by passing the marshaled credential to legacyauthentication APIs. The application acts as a “blind courier” becauseit never sees the true high-level credential.

[0080] At 330, if no suitable credential is found, the user is promptedto supply a credential. At 332, the user provides (e.g., by typing it ina dialog box) a credential to be associated with resource. Again, theapplication acts as a “blind courier” because it never sees the truehigh-level credential.

[0081] At 340, the new credential is provided to the resource so thatthe user can access such resource. The user is asked if he wants to savethe credential. If so, the credential is written into credentialmanager. This “harvested” credential is then available for use by anyother application being run by this user. If the user does not want tosave the credential, the credential is not written into credentialmanager. In both cases, the credential is “blind couriered” back to theapplication.

[0082] In one implementation, a credential—unwritten to the credmanager—is blind couriered by saving it in a submodule of cred managerin a place where it cannot be referenced or used by other applicationsof this user.

[0083] With respect to “saved” credentials, if the resource is a memberof an authentication domain, the credential may be used authenticate tothe domain and to any resource of that domain. Otherwise, if theresource is not a member of an authentication domain, the credential isspecifically associated with the resource and used to access thatresource.

[0084] At 350, the new credential is stored in the user's associatedencrypted credential database. Of course, this step only applies to“saved” credentials.

[0085] This process may be repeated and some steps may occurconcurrently.

[0086] Single Sign-On

[0087] Unlike conventional credential managers, the exemplarycred-manager employs a single sign-on mechanism that automatically andtransparently provides credentials for accessing the multiple resourceswithin an authorized domain to the multiple resources. The exemplarycred-manager is domain-authentication aware. In other words, anauthentication by one resource in a trust network enables automatic(without manual user input) authenticated access to all resources inthat trust network.

[0088] Traditional methods of providing single sign-on usually requirethat a distinct credential be used for each unique network, networkresource, or network application that requires authentication. This canresult in the storage of large numbers of user credentials that must besecurely maintained for the user and managed.

[0089] However, many resources are in a common authentication domain(i.e., network) and can be identified as such. The exemplarycred-manager identifies resources within a common authentication domainand it automatically provides the appropriate credential (which is oftenthe same credential) as necessary for each resource within a domain thatthe user has already “signed on.” As a result, a single credential canbe used to authenticate to a group of resources thereby eliminating theneed for multiple identical credentials.

[0090] Another Methodological Implementation of the ExemplaryCred-Manager

[0091]FIG. 4 shows another methodological implementation of theexemplary cred-manager performed within the credential managementarchitecture 100 (or some portion thereof). This methodologicalimplementation may be performed in software, hardware, or a combinationthereof. With this methodological implementation, the applications maybe legacy applications or otherwise.

[0092] At 405 of FIG. 4, a user sign-on to a protected domain using adomain credential for that domain At 410, the user attempts to access aresource of that protected domain. At 412, the attempt fails with accessdenied—authentication required. Conventionally, the user must manuallyprovide her domain credential again to access this domain resource.However, with the exemplary cred-manager, the user never sees thisdenial. Instead, the authentication to this resource is handledautomatically by the exemplary cred-manager. At 414 of FIG. 4, the SSPasks the exemplary cred-manager for a domain credential to be used toauthenticate the user to the domain. At 416, the exemplary cred-managerseeks the specific domain credential for the domain. At 420, when such acredential is found, it is sent to the resource to authenticate the userto the resource. Now, the user is authenticated to access that resource.

[0093] This process may be repeated as necessary (e.g., for each domainbeing accessed) and some steps may occur concurrently.

[0094] Generally, when first connecting to the resource, the serverhosting the resource identifies the environment (such as the domain) inwhich that the resource is. The SSP then asks cred manager for theappropriate credentials and silently uses them. The application is neverinvolved. In an alternative implementation, the exemplary cred-managernever uses two sets of credentials (the default credentials in steps405-412 and the ones from cred manager the remaining steps). Theexemplary cred-manager simply selects the “correct” set of credentialsfrom the beginning.

[0095] Trust Extension

[0096] Unlike conventional credential managers, the exemplarycred-manager extends this awareness to other trust networks that trusteach other. In other words, once a client is authorized on one network,its authorization will automatically be extended to other trustednetworks.

[0097] For example, assume that the user of computer 130 hassuccessfully signed onto domain 110 b of FIG. 1. Assume that there is atrust relationship between domain 110 b and 110 a. Using the exemplarycred-manager, the user may utilize resources of domain 110 a withoutmanually signing-on to domain 110 a. The user's authorization in domain110 b is sufficient to access 110 a.

[0098] Concurrent Authentications on Multiple Domains

[0099] The exemplary cred-manager provides a mechanism for concurrentauthentications with multiple independent networks (e.g., domains) maybe established and maintained.

[0100] For example, assume that the user of computer 130 hassuccessfully signed onto domain 110 c of FIG. 1. The user may access thedomain resources of domain 110 c. Conventionally, the user may notsign-on to a separate domain, such as domain 110 d. Conventionally, theuser may not be signed-on to multiple domains concurrently. However,using the exemplary cred-manager, the user may be concurrently signed-onto multiple domains, such as domain 110 c and 110 d.

[0101] Additional Implementation Details

[0102] Applications interact with the credential management systemthrough credential-user-interface APIs (such as CredUI APIs). The modelfor identifying what credentials are needed from a user follows a“harvesting model.” When a protected resource is accessed, that accesscan fail until the user is able to supply a valid credential that can beused to successfully authenticate the user.

[0103] When a user attempts to access resources that requireauthentication, the user is prompted to supply credentials in order toaccess that resource. Each different application that does this has adifferent mechanism to prompt the user for a credential and save it forthe user.

[0104] This credential is supplied through the CredUI components arestored the encrypted credential databases, such as databases 154 a-c ofFIG. 1. When the system software requires authentication, a securitysupport provider (SSP) is used to authenticate the user employing anapplication specific protocol. The credential for the user is accessibleto the SSP because the SSP is also part of the TCB. Since the credentialis also associated with the authentication domain of the resource andnot just the resource, a single credential can be used to authenticateto multiple resources. An example authentication domain can be aKerberos realm or a Windows® NT® domain.

[0105] A legacy application uses the CredUI API to return what appearsto be a username and password. Instead, what is returned as a usernameand password is actually a “handle” that contains a marshaled version ofthe specific high-level user credential. This marshaled credentialappears to the application and intervening APIs as a usemame andpassword.

[0106] Credentials may be persisted in a local database on the computerand/or distributed database. Thus, encrypted credential databases 154a-c may be located on the local computer 130 or on a network.

[0107] An application may prompt for a password before trying to accessa resource or after trying to access the resource and getting anauthentication or access failure.

[0108] After an authentication attempt, an application may get a list ofall the potential target names for the resource. Some or all of thefollowing names for the target may be returned: the Netbios server nameof the machine, the DNS server name of the machine, the Netbios domainname of the domain the machine belongs to, the DNS domain name of thedomain the machine belongs to, the DNS tree name of the tree the machinebelongs to, and the name of the package that collected the information.Any piece of this information may be missing if the information does notapply to the target machine. For instance, a machine that is a member ofa workgroup does not have a Netbios domain name.

[0109] An application uses this information to determine the storedcredentials that match the target information. The application handlesthe case where there is no credential set for the logon session or thereare no matching credentials. If there are no matching credentials, thedefault credentials for the logon session are implied.

[0110] An application also uses this information to determine the targetname of the credential to be saved in cred manager.

[0111] Exemplary Scenarios

[0112] Scenario 1—Resources in an Untrusting Domain

[0113] A user logged on to a computer with domain accounts (such asuser@company.com). The user attempts to access a file share in anuntrusting forest (such as “xyz/svr.abc.com”). The user has an account(e.g., user@company.com) in the untrusting forest that must be used toaccess this file share. When the user first attempts to connect to thefile share (e.g., using “net use\\svr.abc.com\stuff”), the user'sdefault domain credentials are tried first. These do not work; however,the server did identify the authentication domain that it is in.Therefore, the user is prompted for credentials for domain abc.com. Thecredentials are in the form of a username and password. In this case,the user specified “usera@company.com” for the username and types thepassword for this account.

[0114] The application attempts to authenticate the user to the“abc.com” domain using the supplied credentials. The target name of thestored credential is controlled by the target information that'savailable. Not based on the authentication attempt. For example, if thetarget information contains only the NetBIOS server name, then thecredentials stored will be for that server only. If the targetinformation contains only the DNS server name and the DNS domain name,then the credential stored will be for all servers whose name end in“DNS domain name”. Whenever a user attempts to access the resourceagain, the appropriate credentials will be used to authenticate theuser.

[0115] Scenario 2—Accessing a Web Site with a Password

[0116] A user attempts to access a Web site. This web site requires ausername and password before access is allowed (it can be HTTP basicauthorization or a forms-based logon). When the Web browser detects thatthis is a logon request, it will request a user credential for thespecified Web resource. If a realm (“realm” is an optional valuespecified in the WWW-Authenticate header) is specified by the Web site,a credential is requested for that particular realm. If no realmspecific credential is found, the user is switched to the secure prompt.The user will provide the username and password to access the realm. Ifthe user checks the “Save Credential” box, then this credential will beused whenever a credential is needed for this realm. If the realm isn'tspecified, then a specific credential for this URL is saved.

[0117] Scenario 3—Accessing a Web Site with a User Certificate

[0118] When a Web site requests a user certificate for access, the Webbrowser may request a certificate for the Web site from the exemplarycred-manager. If the exemplary cred-manager has no saved credentials forthis site, it will prompt to have the user select a certificate. Thiscertificate choice is associated to the resource. Any choice that theuser makes will be associated with the resource and used the next time.

[0119] Exemplary Computing System and Environment

[0120]FIG. 5 illustrates an example of a suitable computing environment900 within which an exemplary cred-manager, as described herein, may beimplemented (either fully or partially). The computing environment 900may be utilized in the computer and network architectures describedherein.

[0121] The exemplary computing environment 900 is only one example of acomputing environment and is not intended to suggest any limitation asto the scope of use or functionality of the computer and networkarchitectures. Neither should the computing environment 900 beinterpreted as having any dependency or requirement relating to any oneor combination of components illustrated in the exemplary computingenvironment 900.

[0122] The exemplary cred-managermay be implemented with numerous othergeneral purpose or special purpose computing system environments orconfigurations. Examples of well known computing systems, environments,and/or configurations that may be suitable for use include, but are notlimited to, personal computers, server computers, thin clients, thickclients, hand-held or laptop devices, multiprocessor systems,microprocessor-based systems, set top boxes, programmable consumerelectronics, network PCs, minicomputers, mainframe computers,distributed computing environments that include any of the above systemsor devices, and the like.

[0123] The exemplary cred-manager may be described in the generalcontext of computer-executable instructions, such as program modules,being executed by a computer. Generally, program modules includeroutines, programs, objects, components, data structures, etc. thatperform particular tasks or implement particular abstract data types.The exemplary cred-manager may also be practiced in distributedcomputing environments where tasks are performed by remote processingdevices that are linked through a communications network. In adistributed computing environment, program modules may be located inboth local and remote computer storage media including memory storagedevices.

[0124] The computing environment 900 includes a general-purposecomputing device in the form of a computer 902. The components ofcomputer 902 can include, by are not limited to, one or more processorsor processing units 904, a system memory 906, and a system bus 908 thatcouples various system components including the processor 904 to thesystem memory 906.

[0125] The system bus 908 represents one or more of any of several typesof bus structures, including a memory bus or memory controller, aperipheral bus, an accelerated graphics port, and a processor or localbus using any of a variety of bus architectures. By way of example, sucharchitectures can include an Industry Standard Architecture (ISA) bus, aMicro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, aVideo Electronics Standards Association (VESA) local bus, and aPeripheral Component Interconnects (PCI) bus also known as a Mezzaninebus.

[0126] Computer 902 typically includes a variety of computer readablemedia. Such media can be any available media that is accessible bycomputer 902 and includes both volatile and non-volatile media,removable and non-removable media.

[0127] The system memory 906 includes computer readable media in theform of volatile memory, such as random access memory (RAM) 910, and/ornon-volatile memory, such as read only memory (ROM) 912. A basicinput/output system (BIOS) 914, containing the basic routines that helpto transfer information between elements within computer 902, such asduring start-up, is stored in ROM 912. RAM 910 typically contains dataand/or program modules that are immediately accessible to and/orpresently operated on by the processing unit 904.

[0128] Computer 902 may also include other removable/non-removable,volatile/non-volatile computer storage media. By way of example, FIG. 5illustrates a hard disk drive 916 for reading from and writing to anon-removable, non-volatile magnetic media (not shown), a magnetic diskdrive 918 for reading from and writing to a removable, non-volatilemagnetic disk 920 (e.g., a “floppy disk”), and an optical disk drive 922for reading from and/or writing to a removable, non-volatile opticaldisk 924 such as a CD-ROM, DVD-ROM, or other optical media. The harddisk drive 916, magnetic disk drive 918, and optical disk drive 922 areeach connected to the system bus 908 by one or more data mediainterfaces 926. Alternatively, the hard disk drive 916, magnetic diskdrive 918, and optical disk drive 922 can be connected to the system bus908 by one or more interfaces (not shown).

[0129] The disk drives and their associated computer-readable mediaprovide non-volatile storage of computer readable instructions, datastructures, program modules, and other data for computer 902. Althoughthe example illustrates a hard disk 916, a removable magnetic disk 920,and a removable optical disk 924, it is to be appreciated that othertypes of computer readable media which can store data that is accessibleby a computer, such as magnetic cassettes or other magnetic storagedevices, flash memory cards, CD-ROM, digital versatile disks (DVD) orother optical storage, random access memories (RAM), read only memories(ROM), electrically erasable programmable read-only memory (EEPROM), andthe like, can also be utilized to implement the exemplary computingsystem and environment.

[0130] Any number of program modules can be stored on the hard disk 916,magnetic disk 920, optical disk 924, ROM 912, and/or RAM 910, includingby way of example, an operating system 926, one or more applicationprograms 928, other program modules 930, and program data 932. Each ofsuch operating system 926, one or more application programs 928, otherprogram modules 930, and program data 932 (or some combination thereof)may include an embodiment of a credential management architecture,trusted computing base (TCB), a credential management module, acredential database, a marshaller, a request obtainer, a credentialretriever, a credential returner, and an API.

[0131] A user can enter commands and information into computer 902 viainput devices such as a keyboard 934 and a pointing device 936 (e.g., a“mouse”). Other input devices 938 (not shown specifically) may include amicrophone, joystick, game pad, satellite dish, serial port, scanner,and/or the like. These and other input devices are connected to theprocessing unit 904 via input/output interfaces 940 that are coupled tothe system bus 908, but may be connected by other interface and busstructures, such as a parallel port, game port, or a universal serialbus (USB).

[0132] A monitor 942 or other type of display device can also beconnected to the system bus 908 via an interface, such as a videoadapter 944. In addition to the monitor 942, other output peripheraldevices can include components such as speakers (not shown) and aprinter 946 which can be connected to computer 902 via the input/outputinterfaces 940.

[0133] Computer 902 can operate in a networked environment using logicalconnections to one or more remote computers, such as a remote computingdevice 948. By way of example, the remote computing device 948 can be apersonal computer, portable computer, a server, a router, a networkcomputer, a peer device or other common network node, and the like. Theremote computing device 948 is illustrated as a portable computer thatcan include many or all of the elements and features described hereinrelative to computer 902.

[0134] Logical connections between computer 902 and the remote computer948 are depicted as a local area network (LAN) 950 and a general widearea network (WAN) 952. Such networking environments are commonplace inoffices, enterprise-wide computer networks, intranets, and the Internet.

[0135] When implemented in a LAN networking environment, the computer902 is connected to a local network 950 via a network interface oradapter 954. When implemented in a WAN networking environment, thecomputer 902 typically includes a modem 956 or other means forestablishing communications over the wide network 952. The modem 956,which can be internal or external to computer 902, can be connected tothe system bus 908 via the input/output interfaces 940 or otherappropriate mechanisms. It is to be appreciated that the illustratednetwork connections are exemplary and that other means of establishingcommunication link(s) between the computers 902 and 948 can be employed.

[0136] In a networked environment, such as that illustrated withcomputing environment 900, program modules depicted relative to thecomputer 902, or portions thereof, may be stored in a remote memorystorage device. By way of example, remote application programs 958reside on a memory device of remote computer 948. For purposes ofillustration, application programs and other executable programcomponents such as the operating system are illustrated herein asdiscrete blocks, although it is recognized that such programs andcomponents reside at various times in different storage components ofthe computing device 902, and are executed by the data processor(s) ofthe computer.

[0137] Computer-Executable Instructions

[0138] An implementation of an exemplary cred-manager may be describedin the general context of computer-executable instructions, such asprogram modules, executed by one or more computers or other devices.Generally, program modules include routines, programs, objects,components, data structures, etc. that perform particular tasks orimplement particular abstract data types. Typically, the functionalityof the program modules may be combined or distributed as desired invarious embodiments.

[0139] Exemplary Operating Environment

[0140]FIG. 5 illustrates an example of a suitable operating environment900 in which an exemplary cred-manager may be implemented. Specifically,the exemplary cred-manager(s) described herein may be implemented(wholly or in part) by any program modules 928-930 and/or operatingsystem 926 in FIG. 5 or a portion thereof.

[0141] The operating environment is only an example of a suitableoperating environment and is not intended to suggest any limitation asto the scope or use of functionality of the exemplary cred-manager(s)described herein. Other well known computing systems, environments,and/or configurations that are suitable for use include, but are notlimited to, personal computers (PCs), server computers, hand-held orlaptop devices, multiprocessor systems, microprocessor-based systems,programmable consumer electronics, wireless phones and equipments,general- and special-purpose appliances, application-specific integratedcircuits (ASICs), network PCs, minicomputers, mainframe computers,distributed computing environments that include any of the above systemsor devices, and the like.

[0142] Computer Readable Media

[0143] An implementation of an exemplary cred-manager may be stored onor transmitted across some form of computer readable media. Computerreadable media can be any available media that can be accessed by acomputer. By way of example, and not limitation, computer readable mediamay comprise “computer storage media” and “communications media.”

[0144] “Computer storage media” include volatile and non-volatile,removable and non-removable media implemented in any method ortechnology for storage of information such as computer readableinstructions, data structures, program modules, or other data. Computerstorage media includes, but is not limited to, RAM, ROM, EEPROM, flashmemory or other memory technology, CD-ROM, digital versatile disks (DVD)or other optical storage, magnetic cassettes, magnetic tape, magneticdisk storage or other magnetic storage devices, or any other mediumwhich can be used to store the desired information and which can beaccessed by a computer.

[0145] “Communication media” typically embodies computer readableinstructions, data structures, program modules, or other data in amodulated data signal, such as carrier wave or other transportmechanism. Communication media also includes any information deliverymedia.

[0146] The term “modulated data signal” means a signal that has one ormore of its characteristics set or changed in such a manner as to encodeinformation in the signal. By way of example, and not limitation,communication media includes wired media such as a wired network ordirect-wired connection, and wireless media such as acoustic, RF,infrared, and other wireless media. Combinations of any of the above arealso included within the scope of computer readable media.

[0147] Exemplary Implementation Employing APIs

[0148] The following describes application-programming interfaces (APIs)that may be used for an implementation of the exemplary cred-manager.The APIs may be part of the credential management module 152 of FIG. 1.

[0149] Credential Management User Interface (CredUI)

[0150] The CredUI provides a consistent user experience for prompting auser for application user credentials. It helps minimize prompting theuser for credentials once they have provided a credential for aresource. Typically, the user specifies a credential once(username/password) and it is used without prompting the user again.

[0151] In all cases where a user is prompted for credentials, the userwill not be prompted again for the duration of the logon session. Anycredentials, which have been saved under a “don't ask me again” policy,will be persistent across logon sessions.

[0152] APIs and Associated Structures

[0153] CredUI Info CREDUI _INFO Struct typedef struct { DWORD dwVersion;HWND hWnd; PCTSTR pszMessageText; PCTSTR pszCaptionText; HBITMAPhbmBitmap; } CREDMGR_UI_INFO;

[0154] This structure is filled out by an application when callingCredMgr UI APIs.

[0155] For this structure:

[0156] hWnd specifies the parent window of any UI dlg that results fromthe call.

[0157] The dlg will be app modal. If hWnd is NULL, any UI will have thedesktop as its parent.

[0158] pszMessageText is any application specific message that is placedin the UI. An application may use this to inform the user of the contextin which the credentials would be used. If NULL, the system will supplygeneric text.

[0159] pszCaptionText is any application specific caption that is givento the dialog. If NULL, the system will supply a generic caption.

[0160] hbmBitmap is a handle to an application specific bitmap todisplay in the dialog. This is used for branding purposes. If NULL, thesystem will supply a generic bitmap.

[0161] CredUIPromptForCredentials( ) CredIUPromptForCredentials() DWORD*WINAPI CredUIPromptForCredentials{ PCREDUI_INFO * pUIInfo, PCTSTRpszTargetName, PCtxtHandle phContext, DWORD dwAuthFlags, PCTSTRpszUserName, ULONG ulUserNameMaxChars, PCTSTR pszPassword, ULONGulPasswordMaxChars, PBOOL pfSave, *DWORD dwFlags );

[0162] This API is called when an application needs the user to inputcredentials, either domain or generic. The credentials entered by theuser may be returned to the application.

[0163] Parameters:

[0164] pUIInfo carries information about the calling application asdefined under the CREDUI_INFO struct section above. If this parameter isNULL, the system will display any resulting UI with the Desktop as itsparent hwnd, using generic information text.

[0165] pszTargetName is the target the application was trying to reach.If phContext is NULL, this value will be used to query CredMgr forextended target information. CredMgr will have temporarily stored theextended target info in a CREDENTIAL_TARGET_INFORMATION structureassociated with the TargetName that came from the SSP (which is the sametarget name that the app supplies here).

[0166] phContext is the context returned from a call toInitializeSecurityContext( ). This is used by the CredMgr UI both todetermine information about any credentials found by the ISC call, andto return information about the user's selections in the UI. IfCredMgrGetCredentials( ) returns SEC_E_OK the application should passthis context back into another call to ISC. If this value is NULL,CredMgr UI will use the szTargetName to determine extended target info.

[0167] dwAuthFlags is used to specify why the credential dialog isneeded. A caller may pass this optional Windows error parameter,returned by another authentication call, to allow CredUI to special-casecertain errors.

[0168] pszUserName is the user name for the creds. The CredMgr UI willwrite the user-supplied name to this buffer, copying a maximum ofulUserNameMaxChars characters. If the string passed by the applicationis non-zero length, the UserName field of the dlg will be prefilled withthe string. This parameter may be NULL, if the application does notrequire the credentials to be returned.

[0169] ulUserNameMaxChars is the maximum number of characters that maybe copied to pszUserName.

[0170] pszPassword is the password for the creds. The CredMgr UI willwrite the user-supplied password to this buffer, copying a maximum ofulPasswordMaxChars characters. If the string passed by the applicationis non-zero length, the password field of the dlg will be prefilled withthe string. This parameter may be NULL, if the application does notrequire the credentials to be returned.

[0171] ulPasswordMaxChars is the maximum number of characters that maybe copied to szPassword.

[0172] pfSave is an out parameter used if theCREDUI_FLAGS_SHOW_SAVE_CHECK_BOX is set. It will return the state of thesave checkbox when the user hits Ok to the dialog. This is used ifapplications which to save the credentials under their own storagemechanism.

[0173] dwFlags is used by the app to specify behavior of the call. Validvalues and their meaning are:

[0174] CREDUI_FLAGS_INCORRECT_PASSWORD—Notify the user of insufficientcredentials by displaying the “Logon unsuccessful” balloon tip.

[0175] CREDUI_FLAGS_EXCLUDE_CERTIFICATES—Regardless of the target info,do not display certificates or smart cards in the combo box.

[0176] CREDUI_FLAGS_DO_NOT_PERSIST—Do not store credentials in credmgror display persistence check boxes. You may passCREDUI_FLAGS_SHOW_SAVE_CHECK_BOX to display the save check box only, andthe result is returned in the save out parameter.

[0177] CREDUI_FLAGS_REQUEST_ADMINISTRATOR—Populate the combo box withlocal Administrators only. On Personal SKU, this will filters out thewell-known Administrator account.

[0178] CREDUI_FLAGS_REQUIRE_CERTIFICATE—Populate the combo box withcertificates and smart cards only. Do not allow a user name to beentered.

[0179] CREDUI_FLAGS_SHOW_SAVE_CHECK_BOX—Shows the “Save” check box andreturns TRUE in the pfSave out parameter if the check box is checked,otherwise FALSE. CREDUI_FLAGS_DO_NOT_PERSIST must be specified to usethis flag.

[0180] CREDUI_FLAGS_ALWAYS_SHOW_UI—Always show the CredUI. It isimplicitly enabled if the CREDUI_FLAGS_DO_NOT_PERSIST flag is specified.If this is not enaled, if the cred mgr finds a saved credential for theuser and it can be used without verification, then no UI will be popped.

[0181] CREDUI_FLAGS_GENERIC_CREDENTIALS—The credentials entered by theuser should be considered generic credentials. If not present, thecredentials will be considered domain credentials, and saved to cred mgras such.

[0182] Return Values:

[0183] SEC_E_OK User it OK button, pszUserName and pszPassword willcontain the values entered in the appropriate edit box fields.

[0184] SEC_E_NO_CREDENTIALS User hit Cancel button, pszUserName andpszPassword have not changed.

[0185] Marshaling APIs:

[0186] The CERT_CREDENTIAL_INFO structure describes a reference to acertificate. #define CERT_HASH_LENGTH 20 typedef struct_CERT_CREDENTIAL_INFO { ULONG cbSize; UCHAR rgbHashOfCert[CERT_HASH_LENGTH]; } CERT_CREDENTIAL_INFO, *PCERT_CREDENTIAL_INFO;

[0187] CERT_CREDENTIAL_INFO Field Definitions:

[0188] cbSize—Specifies the total size of the structure. This fieldshould be set to sizeof(CERT_CREDENTIAL_INFO). When reading thestructure, it may be a larger value in the future indicating a newerversion of the structure.

[0189] RgbHashOfCert—Specifies the SHA-1 hash of the certificate beingreferenced.

[0190] The CRED_MARSHAL_TYPE enumeration describes the different typesof credential that can be marshaled by CredMarshalCredential orunmarshaled by CredUnmarshalCredential. typedef enum _CRED_MARSHAL_TYPE{ CertCredential = 1 } CRED_MARSHAL_TYPE, *PCRED_MARSHAL_TYPE;

[0191] CRED_MARSHAL_TYPE Values:

[0192] CertCredential—Specifies that the credential is a certificatereference described by a CERT_CREDENTIAL_INFO structure.

[0193] The CredMarshalCredential API marshals a credential into a textstring.

[0194] Historically, many API (for instance, NetUseAdd) take a domainname, username and password as credentials. Such API cannot acceptcredentials that are certificates. The CredMarshalCredential APIconverts such credentials into a form that can be passed into these API.

[0195] The marshaled credential should be passed as the user name stringto any API that is currently passed credentials. The domain name (ifapplicable) passed to that API should be passed as NULL or empty. Forcertificate credentials, the PIN of the certificate should be passed tothat API as the password.

[0196] The caller should not modify or print the marshaled credential.The returned value can be freely converted between the Unicode, ANSI,and OEM character sets. The string is case sensitive.

[0197] The CredMarshalCredential API is available in ANSI and UNICODEversions. BOOL CredMarshalCredential ( IN CRED_MARCHAL_TYPE CredType, INPVOID Credential, OUT LPTSTR *MarshaledCredential )

[0198] Parameters:

[0199] CredType—Specifies the type of credential to marshal.

[0200] Credential—Specifies the credential to marshal.

[0201] If CredType is CertCredential, then Credential points to aCERT_CREDENTIAL_INFO structure.

[0202] MarshaledCredential—Returns a text string containing themarshaled credential. The caller should free the returned buffer usingCredFree.

[0203] On success, TRUE is returned. On failure, FALSE is returned.

[0204] GetLastError( ) may be called to get a more specific status code.The following status codes may be returned:

[0205] Error Codes:

[0206] ERROR_INVALID_PARAMETER—CredType is invalid

CONCLUSION

[0207] Although the invention has been described in language specific tostructural features and/or methodological steps, it is to be understoodthat the invention defined in the appended claims is not necessarilylimited to the specific features or steps described. Rather, thespecific features and steps are disclosed as preferred forms ofimplementing the claimed invention.

1. A method for accommodating a legacy application, the methodcomprising: obtaining a request for a high-level credential from alegacy application; marshalling the requested credential; returning themarshaled credential to the application.
 2. A method as recited in claim1 further comprising, after the obtaining, seeking the requestedcredential in a database of credentials.
 3. A method as recited in claim1, wherein a high-level credential is a credential selected from a groupcomposed of X.509 Certificates and bio-metrics.
 4. A method as recitedin claim 1, wherein the marshaled credentials appear to be aconventional username/password pair to the legacy application.
 5. Amethod as recited in claim 1, wherein marshalling comprises: obtainingthe requested high-level credential; pickling the requested high-levelcredential to generate a low-level credential that represents therequested high-level credential while appearing to be a conventionalusername/password pair to the legacy application.
 6. A method as recitedin claim 1, wherein the legacy application never has access to thehigh-level credential.
 7. A computer-readable medium havingcomputer-executable instructions that, when executed by a computer,perform a method as recited in claim
 1. 8. In a computing environmentwhere processes have a provision for low-level credentials but have noprovision for high-level credentials, a method for accommodating suchprocesses comprising: obtaining a request for a credential from aprocess, wherein the requested credential is a high-level credential;retrieving the requested credential from a database; converting therequested high-level credential into a format approximating a low-levelcredential and representative of the requested high-level credential;returning the converted credential to the process.
 9. A method asrecited in claim 8, wherein a high-level credential is a credentialselected from a group composed of X.509 Certificates and bio-metrics.10. A method as recited in claim 8, wherein the converted credentialsappear to be a conventional username/password pair to the process.
 11. Amethod as recited in claim 8, wherein the process never has access tothe high-level credential.
 12. A computer-readable medium havingcomputer-executable instructions that, when executed by a computer,perform a method as recited in claim
 8. 13. A method for authenticatinga user to a network, the method comprising: obtaining a request for acredential to authenticate the user to access a resource within thenetwork, wherein the resource requires an appropriate credential beforethe user may access the resource; locating the appropriate credential;returning the appropriate credential to the resource within the network,so that the resource allows the user to access such resource; whereinthe obtaining, locating, and returning are performed without userinteraction so that the user need not be aware that such steps are beingperformed.
 14. A method as recited in claim 13 further comprisingrepeating the obtaining, locating, and returning for a different networkthat is authenticated using a different credential.
 15. Acomputer-readable medium having computer-executable instructions that,when executed by a computer, perform a method as recited in claim 13.16. A method for concurrently accessing a first resource on a firstnetwork and a second resource on a second network, the methodcomprising: first obtaining a first request for a first credential toauthenticate a user to access a first resource of the first network,wherein the first resource requires an appropriate first credentialbefore the user may access the first resource; first locating theappropriate first credential; first returning the appropriate firstcredential to the first resource of the first network, so that the firstresource allows the user to access the first resource; wherein the firstobtaining, locating, and returning are performed without userinteraction so that the user need not be aware that such steps are beingperformed; second obtaining a second request for a second credential toauthenticate a user to access a second resource of the second network,wherein the second resource requires an appropriate second credentialbefore the user may access the second resource; second locating theappropriate second credential; second returning the appropriate secondcredential to the second resource of the second network, so that thesecond resource allows the user to access the second resource; whereinthe second obtaining, locating, and returning are performed without userinteraction so that the user need not be aware that such steps are beingperformed
 17. A computer-readable medium having computer-executableinstructions that, when executed by a computer, performs the method asrecited in claim
 16. 18. A credential management architecture,comprising: a trusted computing base (TCB) that has fill access topersisted credentials, the TCB being configured to interact with anuntrusted computing layer (UTCL) that accesses the persisted credentialsvia the TCB; the TCB comprises: a credential management moduleconfigured to receive requests from the UTCL for a credential for aresource, the credential being associated with a user; a credentialdatabase associated with the user, wherein credentials are persistedwithin the database; the credential management module being configuredto retrieve credentials from the database.
 19. An architecture asrecited in claim 18, wherein credential management module is furtherconfigured to marshal a requested credential and return the marshaledcredential to the UTCL.
 20. An architecture as recited in claim 18,wherein the marshaled credentials appear to be a conventionalusername/password pair to the UTCL.
 21. A computer-readable mediumhaving computer-executable instructions that, when executed by acomputer, employ an architecture as recited in claim
 18. 22. Anoperating system embodied on a computer-readable medium havingcomputer-executable instructions that, when executed by a computer,employ an architecture as recited in claim
 18. 23. An apparatuscomprising: a processor; a marshaler executable on the processor to:obtain a high-level credential; convert the high-level credential togenerate a representation of the high-level credential that is formattedas a low-level credential so that it appears to be a conventionalusername/password pair.
 24. A low-level-credential-applicationaccommodation system comprising: a request obtainer configured to obtaina request for a high-level credential from alow-level-credential-application; a credential retriever configured toretrieve the requested credential from a database of credentials; amarshaller configured to marshal the requested credential and return themarshaled credential to the low-level-credential-application.
 25. Asystem as recited in claim 24, wherein a high-level credential is acredential selected from a group composed of X.509 Certificates andbio-metrics.
 26. A system as recited in claim 24, wherein the marshaledcredentials appear to be a conventional username/password pair to thelegacy application.
 27. A system as recited in claim 24, whereinmarshaller is further configured to convert the requested high-levelcredential to generate a low-level credential that represents therequested high-level credential while appearing to be a conventionalusername/password pair to the low-level-credential-application.
 28. Asystem as recited in claim 24, wherein the legacy application never hasaccess to the high-level credential.
 29. A system for authenticating auser to a network, the system comprising; a request obtainer configuredto obtain a request for a credential to authenticate the user to accessa resource within the network, wherein the resource requires anappropriate credential before the user may access the resource; acredential retriever configured to retrieve the appropriate credentialfrom a database of credentials; a credential returner configured toreturn the appropriate credential to the resource within the network, sothat the resource allows the user to access such resource; wherein theobtainer, retriever, and returner are further configured to operatewithout user interaction.
 30. An operating system comprising a system asrecited in claim
 29. 31. A network environment comprising a system asrecited in claim
 29. 32. An application programming interface (API)method comprising: receiving a CredUI-promptfor-credentials call havinga set of parameters comprising a TargetName, Context, AuthFlags, andFlags; parsing the call to retrieve the parameters to determine aspecified resource; obtaining a credential; associating the credentialwith the specified resource; persisting the credential into a databasewhile maintaining the credential's association with the specifiedresource.
 33. A method as recited in claim 32, wherein the set ofparameters further comprises an indicator of a data structure containingcustomized information to display in conjunction with a user interface.34. An application programming interface (API) method comprising:receiving a CredUI-promptfor-credentials call having a set of parameterscomprising a TargetName, UserName, Password, and Flags; parsing the callto retrieve the parameters to determine a requesting application;obtaining a low-level credential from a user, wherein such credentialincludes a username and a password; returning the low-level credentialto the requesting application.
 35. A method as recited in claim 34,wherein the set of parameters further comprises an indicator of a datastructure containing customized information to display in conjunctionwith a user interface.